cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
823843
Views
19
Helpful
8
Comments
TCC_2
Level 10
Level 10

 

Introduction

How to define the VLANs allowed on a trunk link.

Resolution

When a trunk link is established, all of the configured VLANs are allowed to send and receive traffic across the link. VLANs 1 through 1005 are allowed on each trunk by default. However, VLAN traffic can be removed from the allowed list. This keeps traffic from the VLANs from passing over the trunk link.

Note: The allowed VLAN list on both the ends of the trunk link should be the same.

For Integrated Cisco IOS  Software based switches

perform these steps:   

  1. To restrict the traffic that a trunk carries, issue the switchport trunk vlan-list interface configuration command.

    This removes specific VLANs from the allowed list.

    Note: VLANs 1 and 1002 through 1005 are reserved VLANs and cannot be removed from any trunk link.

    The vlan-list parameter is either a single VLAN ID or a range of VLAN IDs. This parameter is described by two VLAN numbers separated by a hyphen. Do not enter any spaces between comma-separated VLAN IDs or in hyphen-specified ranges.

    For example, to remove VLANs 5 through 10 and 12 from the trunk, issue the switchport trunk allowed vlan remove 5-10, 12 command. 

  2. To add a VLAN to the trunk, issue the switchport trunk allowed vlan add vlan-list command. 

  3. This example shows how to remove VLANs 5 through 10 and 12.

    Add VLAN 7 back and verify the allowed VLANs on the trunk link.

       
        c3550#configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      c3550(config)#int fa0/2
      c3550(config-if)#switchport trunk encapsulation dot1q
      c3550(config-if)#switchport mode trunk
      c3550(config-if)#switchport trunk allowed vlan remove 5-10,12
      c3550(config-if)#switchport trunk allowed vlan add 7
      c3550(config-if)#end
      c3550#show interfaces fastEthernet 0/2 trunk
    
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/2       on           802.1q         trunking      1
    
    Port     Vlans allowed on trunk
    Fa0/2    1-4,7,11,13-4094
    
    Port        Vlans allowed and active in management domain
    Fa0/2       1
    
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/2       1
    c3550# 
    

For Catalyst OS (CatOS) Software based switches

perform these steps: 

Note: Even when the VLAN is removed from the port, the trunk remains in On state.

  1. When you first configure a port as a trunk port, the set trunk command always adds the VLANs to the allowed VLAN list for the trunk link.

    Even if you specify a VLAN range, it is ignored.

  2. To modify the allowed VLANs list, use a combination of the clear trunk or set trunk commands to specify the allowed VLANs.       
  3. To remove VLANs from the allowed VLANs list for a trunk, issue the clear trunk mod_num/port_num vlans command.       
  4. To add specific VLANs to the allowed VLANs list for a trunk, issue the set trunk mod_num/port_num vlans command.       
  5. To verify the allowed VLAN list for the trunk, issue the show trunk mod_num/port_num command.

Example

This example shows:

              
Console> (enable) clear trunk 1/1 101-499
Removing Vlan(s) 101-499 from allowed list.
Port 1/1 allowed vlans modified to 1-100,500-1005.
Console> (enable) set trunk 1/1 250
Adding vlans 250 to allowed list.
Port(s) 1/1 allowed vlans modified to 1-100,250,500-1005.
Console> (enable) show trunk 1/1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
1/1      desirable    isl            trunking      1
Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
1/1      1-100,250,500-1005
Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
1/1      1,521-524
Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
1/1      1,521-524
Console> (enable) 
  • How to verify the allowed VLAN list for the trunk           
  • How to define the allowed VLANs for trunk port 1/1           
  • How to allow VLANs 1 through 100, VLAN 250 and VLANs 500 through 1005

Reference

For more information on configuring VLANs on Catalyst switches, refer to Creating Ethernet VLANs on Catalyst Switches.

Comments
charitha1013
Level 1
Level 1

Switchport trunk allowed vlan all

What is the advantage of allowing certain vlans vs allowing all? Currently we have all vlans allowed in the network and want to allow only certain vlans instead; how can we determine which vlans to be allowed?

Appreciate response in this regards. Thanks

steinmannb
Level 1
Level 1

If the network administrator can't tell the purpose of the various VLANs you have a secious problem! VLANs are used to have just one backbone but providing "shielded" separate networks within that infrastructure. Like having Internet in one VLAN and the internal stuff in another.

As an example for allowing only specific VLANs imagine a company that has an ICT department that provides the network backbone and the programmer department is having some ESX servers running. The network card going to the ESX server should only allow the VLANs used by the programmers to inhibit them creating a VM that has a NIC in the wrong VLAN. Like they think they know what they do but (unintentionally) enter the wrong VLAN ID and putting a VM in your production server VLAN disrupting your whole server park.

If you want to see the VLANs on a switch and which access port is member of which VLAN issue the command "show vlans" to get a nice list. For the ports in trunk mode this will not help thus you have to check the device attached to the port for its configuration. All in all coming back to the question: why did you allow all VLANs on all trunk ports ultimately resulting in not beeing able to answer the question which device is member of which VLAN. Thus always have a perfect documentation and/or use the "switchport trunk allowed vlan" command to limit to the necessary.

natapovmb
Level 1
Level 1

Mistake in printing command, must be:

"1. To restrict the traffic that a trunk carries, issue the switchport trunk allowed vlan vlan-list interface command"

sruz
Community Member

I would say it depends on the situation, for instance I am the Network Administrator for a High School, each classroom has a Wireless Access Point and a VoIP phone. Its a very old infrastructure (only one copper drop per classroom).   

I'm not 100% sure why but our VoIP phones need to grab two IP addresses from two different VLANs for them to work.

Our Access Points are on a specified VLAN per building.

The copper directly connects to the Access Point, and the AP has an additional 100mb port that we connect the phone to.

Clearly this would need to be a trunked port for all the devices to work, but why bombard the port and devices with traffic from every single VLAN in the infrastructure (ours has about 30), when all we need is traffic from the 3 VLANs? 

So the advantage for us is clearly less overhead on the port and devices connected to it.

I've also heard of Administrators doing this in the backbone of the network for load balancing. 

Shadow_200
Level 1
Level 1

@charitha1013 

its depend on what is requirment in  network.If I am using OOB vlan on switch which is directly connected to core and in cascade switch I am sure that no single user will connect from OOB team then i will definetly not pass that Vlan in downlink of access switch.

cowboycraig73
Level 1
Level 1

Much better to prune vlan's on trunks and port-channels from the start.
Without fail allowing all, will one day need to be pruned.

"switchport trunk allowed vlan add/remove ###" is easier to manage from the start and a good spiritual practice.

khnrjm
Level 1
Level 1

I would define in the distribution layer, on the layer 3 switch or router, on the port channel, which vlan to allow on that interface.

interface Port-channel10
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
switchport nonegotiate

RGWB
Level 1
Level 1

This was a great help with a rapid-pvst troubleshooting lab I'm working on. The interfaces I was looking for (g1/0-2) were not in the output of the show spanning-tree vlan 1 command even though the interfaces were up, up. I executed the following commands 

(config)#int range g1/0-2
(config-if)#switchport trunk allowed vlan add 1

re-ran show spanning-tree vlan 1 and the interfaces were listed. Appreciate you sharing! 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: